DEFINITION  OF  TERMS


The  following  terms  are  used  throughout  this  study. 

Advanced  persistent  threat  (APT):  a  cyber-attack  that  utilizes  multiple
vulnerabilities  to  break  into  a  system,  avoids  advanced  detection  techniques,  and  acquires
data  or  disrupts  operations.1

Blacktopped:  previously  used  parts  that  counterfeiters  make  to  look  new  by 
sanding  original  markings  down  and  remarking  them  with  new  vendor  labels  or  stamps.2 

Counterfeit  part:  a  part  that  has  been  copied  without  a  legal  right  of  authority  by 
the  patent  owner;  an  unauthorized  fake  or  knock  off  part  that  is  misrepresented  by  a 
supplier  in  the  federal  supply  chain;  a  previously  used  part  that  is  made  to  look  as  new 
and  is  sold  as  a  new  part. 3 

Elongated  or  multi-tier  supply  chains:  using  multiple  primary  supply  chain 
sources  to  reduce  manufacturing  costs. 

E-Waste:  electronic  waste  that  has  been  discarded  as  trash  and  is  sold  to 
counterfeiters  who  reprocess  the  parts  and  sell  them  as  original  products.4 

Information  Communication  Technology  (ICT):  refers  to  the  information  and 
communications  technology  (software  and  hardware)  that  enables  cyber  space  domain 
communications.5

Insider  Security  Threat:  an  outside  entity  that  poses  as  a  legitimate  ICT
resource  and  resides  within  the  internal  enterprise  network  as  an  insider  with  access  to  the 
organization’s  processes,  data  and  computer  systems.6 

National  Security  System  (NSS):  Title  44  §3532  defines  national  security  system
as  “...any  information  system  used  or  operated  by  an  agency  or  by  a  contractor  of  an
agency,  which:  (A)  involves  intelligence  activities;  (B)  involves  cryptologic  activities
related  to  national  security;  (C)  involves  command  and  control  of  military  forces;  (D)
involves  equipment  that  is  an  integral  part  of  a  weapon  or  weapons  system;  or  (E)  is
critical  to  the  direct  fulfillment  of  military  intelligence  missions.”7

Non-National  Security  System  (NNSS):  a  system  that  is  used  to  support  routine 
administrative  functions  such  as  human  resources,  logistics,  finance,  and  payroll.8 

Original  Equipment  Manufacturer  (OEM):  refers  to  the  company  that  originally 
built  a  product.9 

Supply  Chain  Risk:  risks  that  arise  from  the  confidentiality,  integrity,  or 
availability  of  information  systems  and  reflect  the  potential  adverse  impact  to 
organizational  operations,  organizational  assets,  individuals,  other  organizations,  and  the 
nation. 10 

White  Hat  Hacker:  an  ethical  computer  security  expert  who  specializes  in 
offensive  attacks  and  utilizes  these  skills  to  ensure  the  security  of  ICT.11

ABSTRACT


The  past  decade  has  seen  an  increase  in  the  development  of  proactive  cyber  defense 
methods  that  focus  on  anticipated  future  attack  strategies  and  are  integrated  into  the  cyber 
defense  designs.  The  historic  co-evolution  of  the  attacker  (counterfeiter)  and  defender
(USAF)  provides  a  conceptual  understanding  of  how  policy  has  failed  to  adequately
reduce  the  security  risks  that  counterfeit  electronic  parts  present  to  advanced  weapon
systems.  The  first  part  of  this  study  provides  the  background  and  history  of  counterfeit
electronics  within  the  United  States  Department  of  Defense  (DOD).  The  second  part  of
the  study  provides  the  current  political,  economic,  social,  technological  and  military 
analyses  on  electronic  counterfeiting  threats,  risks  and  mitigation  strategies  associated 
with  this  phenomenon.  The  research  concludes  with  a  discussion  on  why  the  following 
four  recommendations  are  needed  to  effectively  mitigate  the  threat  and  associated  risks: 
(1)  Increase  funding  to  ensure  anti-counterfeiting  practices  are  built  into  weapon  system 
designs  and  manufacturing;  (2)  Support  the  reclassification  and  treatment  of  counterfeit 
electronics  as  a  cyber-security  insider  threat;  (3)  Increase  threat  awareness  for  leaders  to
effectively  implement  deterrence  policy  and  strategies;  (4)  Develop  a  proactive
anti-counterfeiting  framework  that  leverages  predictive  analytics  modeling  and  computational
criminology.

INTRODUCTION


The  Air  Force  (AF)  has  invested  billions  of  dollars  on  research  and  development 
(R&D)  to  create  the  most  technologically  advanced  and  superior  military  force  in  the 
world  and  will  continue  to  face  challenges  when  trying  to  develop  and  sustain 
technologically  advanced  weapon  systems.  The  safety  of  our  military  men  and  women  is 
dependent  on  the  performance  and  reliability  of  incredibly  sophisticated  technology 
components.  Due  to  globalization,  technology  supply  chains  are  challenged  by  and/or 
plagued  with  businesses  trying  to  meet  the  increasing  demands  for  sophisticated  and 
mature  technologies.  The  use  of  extended  supply  chains  by  DOD  contractors  increases 
the  likelihood  that  suppliers  beyond  the  primary  contractor  could  compromise  supply 
chain  security. 

In  2011,  the  Senate  Armed  Services  Committee  conducted  an  investigation  into
the  DOD’s  supply  chain  processes  and  the  potential  for  counterfeit  electronic  parts
integration  in  advanced  weapon  system  programs.12  The  outcome  of  the  investigation
exposed  that  the  defense  supply  chain  utilized  hundreds  of  un-vetted  manufacturers,
including  China,  to  supply  electronics  on  sensitive  defense  systems.13

Some  critics  argue,  however,  that  it  is  challenging,  if  not  impossible,  to  identify 
counterfeit  products  from  the  potential  thousands  of  resistors,  microprocessors  and 
semiconductors  used  to  assemble  a  weapon  system.14  Regrettably,  without
anti-counterfeiting  processes  that  inspect  or  analyze  products  carefully,  the  potential  for
weapon  system  failure  increases  dramatically. 15  This  research  will  focus  on  developing  a 
new  dynamic  supply  chain  defense  framework  that  will  provide  a  proactive  approach  to 
actively  identifying  supply  chain  threats  and  creating  a  comprehensive  response  to
suspect  counterfeiting  attacks.  Developing  new  countermeasures  and  improving
corporate  acquisition  processes  will  help  ensure  the  integrity  of  AF  weapon  systems, 
increase  the  safety  and  security  of  our  military  personnel,  and  save  billions  of  dollars  lost 
each  year  to  cyber  security  attacks. 


BACKGROUND 

Security  concerns  over  supply  chain  counterfeiting  and  malicious  cyber  hardware 
attacks  have  prompted  a  number  of  congressional  investigations.  Subsequently,  these 
inquiries  produced  relevant  research  works  that  have  added  value  to  the  overall  cyber 
security  body  of  knowledge  and  supply  chain  risk  management  areas.  Although  most 
literature  on  these  topics  focuses  on  a  reactive  technical  solution,  the  researcher's 
conclusions  will  be  to  develop  a  predictive  supply  chain  defense  framework  that 
encompasses  a  proactive  defensive  approach  to  actively  identify  and  mitigate  supply 
chain  threats. 

Traditional  approaches  in  supply  chain  risk  management  are  inadequate  against 
today’s  increasingly  sophisticated  supply  chain  attacks,  as  evidenced  by  research  related 
to  this  topic.  16  Arati  Prabhakar,  Director  of  the  Defense  Advanced  Research  Projects 
Agency  (DARPA)  understands  that  a  reactionary  approach  to  fixing  the  cyber  security 
issues  is  not  working. 17  The  complex  and  often  multi-tiered  defense  supply  system  is  a 
difficult  problem  to  isolate  and  systematically  study  to  provide  a  solution.18  Lamb,  Ling 
and  Hayes  explain  that  dynamic  cyber  defense  provides  an  integrated  enterprise  approach 
towards  creating  multiple  layers  of  defense  within  a  system. 19  Each  layer  of  the  system 
serves  to  mitigate  or  reduce  the  threat  and  overall  business  risk. 

Filsinger,  Fast,  Wolf,  Payne,  and  Anderson  have  recognized  that  the  outsourcing
of  defense  technologies  by  the  U.S.  and  its  dependence  on  foreign  technology  has  created
a  supply  chain  vulnerability  that  is  decreasing  AF  technological  advantages  in  many 
areas.20  Additionally,  the  acquisition  of  technologies  both  inside  and  outside  of  the  U.S. 
to  support  mission  critical  systems  increases  our  vulnerabilities  because  there  is  no 
foolproof  method  that  can  detect  inferior  components  or  counterfeit  hardware.21 

Counterfeiting  is  one  of  the  fastest  growing  economic  crimes  of  modern  times  and 
threatens  the  very  fabric  of  our  national  security.  22  This  criminal  empire  knows  no 
boundaries  and  continues  to  affect  businesses,  consumers  and  government  agencies 
around  the  world.  Today,  the  International  Chamber  of  Commerce  estimates  that 
counterfeit  products,  valued  at  $600  billion  annually,  account  for  approximately  5-7% 
of  world  trade.23  There  is  considerable  concern  within  the  federal  contracting  community 
about  the  infiltration  of  counterfeit  parts  into  the  government  supply  chains.  The
ever-increasing  reliance  on  global  supply  sources  exposes  the  federal  supply  systems  to  an
enlarging  risk  of  exploitation  via  counterfeit  materials,  malicious  software  and 
untrustworthy  electronic  products.24 

A  Senate  Armed  Services  Committee  inquiry  that  spanned  2009-2010  revealed
an  abundance  of  counterfeit  products  from  China  in  the  DOD  supply  chain.  Over  the
course  of  the  investigation,  the  committee  found  that  more  than  one  million  electronic
parts  were  suspected  to  be  counterfeit.25  In  2010,  the  committee’s  investigation  found 
that  L-3  Display  Systems  bought  memory  chips  from  an  electronics  distributor  in 
California  that  were  purchased  from  Hong  Dark  Electronics  Trade,  a  company  in  China. 
The  memory  chips  were  used  in  display  systems  installed  on  the  Air  Force  C-130J  and
C-17  aircraft  that  provide  the  pilot  with  information  on  the  operation  of  the  aircraft,  such  as
engine  status,  altitude,  airspeed,  location  and  navigation  messages.26  Further
investigations  by  the  AF  revealed,  “...approximately  84,000  suspect  counterfeit 
electronic  parts  purchased  from  Hong  Dark  entered  the  DOD  supply  chain,  and  many  of 
these  parts  have  been  installed  on  DOD  aircraft.”27 

PURPOSE 

The  intent  of  this  problem  solution  study  is  to  explore  the  illicit  electronics 
counterfeiting  industry  and  analyze  how  counterfeit  electronics  are  acquired  through  the 
federal  government  supply  chain,  and  subsequently  installed  in  advanced  weapon 
platforms  in  the  United  States  Air  Force.  The  focus  will  be  on  how  the  current 
Department  of  Defense  supply  chain  risk  model  is  ineffectual  due  to  the  misclassification 
of  counterfeit  electronics  as  an  economic  crime;  the  lack  of  support  and  funding  by  senior 
leaders;  and  that  the  reactionary  nature  of  the  model  prevents  a  proactive  cyber  response 
and  deterrence. 


RESEARCH  METHODOLOGY 

The  literature  review  process  began  with  those  same  three  general  topic  areas  and  then
narrowed  the  search  down  to  more  specific  search  topics  as  the  literature  search
progressed.  The  goal  was  to  understand  the  current  security  issues  associated  with  global 
supply  chains  and  their  association  with  Air  Force  weapon  system  programs. 

Citation  chaining  will  be  utilized  to  develop  a  broad  exploratory  analysis  of 
available  academic  resources.28  As  part  of  this  research,  an  examination  of  scholarly  peer 
reviewed  journals,  congressional  reports,  testimony,  and  legislation  will  be  studied  in
addition  to  international  industry  standards.  The  organization  of  the  literature  review  will
provide  a  historical  analysis  to  show  familiarity  with  current  initiatives  and  technological 
developments.  Analysis  of  research  reports  provided  by  Washington  Think  Tanks  will 
ensure  current  DOD  programs  are  evaluated  for  efficacy  and  security  considerations. 
Additional  analysis  provided  by  the  National  Institute  of  Technology  (NIST),  Armed 
Forces  Communications  and  Electronics  Association  (AFCEA)  and  the  Institute  of 
Electrical  and  Electronics  Engineers  (IEEE)  will  be  studied  to  provide  an  industry-wide 
review  of  technology  supply  chain  best  practices,  security  vulnerabilities  and  their  effects 
on  Air  Force  weapon  systems. 

The  literature  for  the  study  was  drawn  from  the  following  available  open  source 
online  databases:  Science  Direct,  IEEE  Xplore,  ACM  Digital  Library,  ProQuest,  EBSCO 
Host,  SAGE  Journals,  and  Google  Scholar.  Each  of  these  databases  was  searched
sequentially  with  a  series  of  search  terms  or  phrases:  supply  chain  security,  DOD 
acquisition  supply  chain,  counterfeit  electronics,  global  supply  chain  counterfeit  security 
concerns,  secure  global  supply  chains,  proactive  approach  to  cyber  security,  dynamic 
cyber  defense,  cyber  security  in  supply  chain,  supply  chain  forensics,  predictive 
analytics,  security  informatics,  computational  criminology.  In  addition,  use  of  citation 
chaining  enabled  discovery  of  additional  relevant  academic  literature.29 

The  researcher  will  use  a  pragmatic  worldview  to  study  the  problem  of  counterfeit 
electronics  in  AF  weapon  systems.  Pragmatism  encourages  the  use  of  multiple  research 
methodologies,  different  worldviews  and  different  forms  of  data  collections.30  Using  a 
qualitative  research  design  and  a  problem-based  research  approach  will  postulate  a 
philosophical  basis  to  study  a  current  technological  security  concern  and  provide
recommended  solutions  for  reducing  risk  exposure  of  this  phenomenon.  The  intent  of  the
qualitative  research  will  provide  a  framework  for  the  researcher  to  compare  and  contrast 
how  the  cyber  security  framework  and  the  supply  chain  risk  management  framework  can 
be  combined  to  develop  a  comprehensive  approach  to  reducing  the  risk  of  counterfeit 
parts  and  sophisticated  electronics  acquisition  into  the  federal  supply  system. 

LITERATURE  REVIEW 


Political  Importance 

Over  the  last  25  years,  the  U.S.  Government  has  conducted  numerous  studies  to 
establish  national  policies  and  organizational  structures  that  would  guide  the  activities 
needed  to  protect  national  security  systems.  During  the  course  of  the  99th  Congress 
(1985-1986),  the  American  Bar  Association,  the  Inspector  General’s  Office  of  the 
Department  of  Health  and  Human  Services,  and  computer  crime  experts  noted  that  the 
lack  of  management,  controls,  and  coordination  of  computer  security  in  both  the
private  and  government  sectors  is  alarming.31  “One  of  the  most  disturbing  findings  from 
this  study  is  that  the  work  environment  provided  the  perpetrators  with  the  opportunity  to 
commit  their  crimes,”  the  Chairman  of  the  President’s  Council  on  Integrity  and 
Efficiency  investigating  computer  crime,  said  when  he  testified  on  October  29,  1985. 32 

In  response  to  the  findings  by  the  99th  Congress,  the  House  Science  and 
Technology  Committee  requested  that  the  U.S.  Government  Accountability  Office 
(GAO)  review  whether  security  controls  were  being  assimilated  into  mission-critical  and 
sensitive  systems  that  were  developed  by  federal  civilian  agencies.  Thomas  B.  Giammo, 
Associate  Director,  Information  Management  and  Technology  Division  of  GAO,  testified
that  out  of  the  nine  civilian  agencies  who  were  audited,  all  failed  to  assure  appropriate
security  controls  were  incorporated  into  the  development  of  mission-critical  or  sensitive 
systems.33  As  a  result  of  the  99th  Congress  testimonies  and  GAO  findings,  the  100th 
Congress  passed  H.R.  145,  The  Computer  Security  Act  of  1987. 

H.R.  145  provided  the  federal  government  a  framework  that  helped  provide 
direction  to  the  mixture  of  laws,  regulations  and  responsible  agencies  regarding  cyber 
security.34  The  bill’s  main  focus  was  securing  the  information  or  data  stored  in  federal 
computer  systems.35  Although  this  bill  did  not  directly  offer  strategies  for  preventing 
counterfeiting,  it  did  provide  the  foundation  for  educating  users  on  cyber  security  related 
issues  and  designated  the  National  Institute  of  Standards  and  Technology  (NIST), 
formerly  the  National  Bureau  of  Standards  (NBS),  as  the  focal  point  within  the 
government  to  develop  computer  security  standards  and  guidelines  for  systems  other  than 
NSS.36 

In  2008,  President  George  W.  Bush  established  the  Comprehensive  National
Cybersecurity  Initiative  (CNCI)  under  National  Security  Presidential  Directive  54
(NSPD-54)  and  Homeland  Security  Presidential  Directive  23  (HSPD-23).  The  purpose  of
these  initiatives  was  to  provide  federal  and  state  agencies  with  strategies,  source
intelligence  community  vendor  threat  information,  and  guidance  on  how  to  secure
cyberspace.37  Building  upon  the  CNCI  enacted  by  President  Bush,  President  Barack
Obama  characterized  cyber  security  as  “...  one  of  the  most  serious  economic  and
national  security  challenges  we  face  as  a  nation”  and  ordered  a  thorough  evaluation  on 
how  to  better  defend  the  U.S.  Information  and  Communication  Technology  (ICT) 
infrastructure.38

Initiative  Eleven  of  the  CNCI  recognizes  the  need  to  develop  a  “multi-prong
approach”  to  solving  supply  chain  risk  management  concerns.39  The  goals  of  this 
approach  will  assist  domestic  and  global  supply  chain  with  reducing  the  risks,  threats, 
and  vulnerabilities;  consequences  of  poor  acquisitions  decisions;  development  of  tools 
and  mitigating  techniques;  new  acquisition  processes  and  practices  that  reflect  the 
dynamic  global  marketplace;  and  develop  partnerships  with  industry  to  institute  supply 
chain  risk  management  (SCRM)  standards  and  best  practices  to  help  reduce  risks  across 
the  lifecycle  of  product  development.40 

In  2011,  Section  818,  Public  Law  112-81  (National  Defense  Authorization  Act, 
FY  2012)  mandated  into  law  a  requirement  for  the  DOD  to  conduct  an  assessment  of  the 
current  acquisition  practices  and  policies.  The  law  required  the  DOD  to  develop  an 
inspection  program  that  would  detect  and  avoid  counterfeit  electronic  parts.41  In  response 
to  the  NDAA,  the  DOD  issued  DOD  Instruction  4140.67  (DODI  4140.67),  DOD 
Counterfeit  Policy,  which  established  a  counterfeit  prevention  policy.42  DODI  4140.67 
provided  a  broad  policy  on  supply  chain  counterfeiting  and  delivered  more  informing  and 
assigning,  than  actually  instructing.  For  example,  the  instruction  does  not  provide 
guidance  on  how  to  implement  federal  controls  on  suppliers  nor  does  it  explain  how  it 
will  hold  contractors  accountable  for  detecting  and  avoiding  counterfeit  parts. 

Economic  Impact  Analysis 

The  Report  to  Congress  on  Foreign  Economic  Collection  and  Industrial 
Espionage  investigation  revealed  that  “sensitive  U.S.  economic  information  and 
technologies”  are  the  target  of  intelligence  services  and  private  sector  companies  from  a 
dozen  foreign  countries.43  The  DOD  Director  of  Operational  Test  and  Evaluation  states,
“Poor  reliability  is  a  problem  with  major  implications  for  costs...Poor  reliability  leads  to
higher  sustainment  costs  for  replacement  spares,  maintenance,  repair  parts,  and 
facilities”.44  The  U.S.  government  needs  to  take  a  more  comprehensive  approach  to 
supply  chain  risk  management  (SCRM)  by  developing  a  better  understanding  on  how 
commercial  suppliers  can  ensure  the  integrity  and  fidelity  of  their  products  and 
services.45  The  acquisition  and  utilization  of  counterfeit  and  fake  technology  parts  will 
have  devastating  or  catastrophic  impacts  on  mission  critical  systems  or  advanced  DOD 
weapon  systems.46 

Research  has  shown  that  in  addition  to  national  security  risks,  counterfeit 
electronics  increase  the  cost  of  defense  systems.47  The  Budget  Control  Act  of  2011  is
continuing  to  constrain  the  Air  Force's  ability  to  effectively  plan  and  afford  advanced 
weapon  systems.  The  DOD’s  Comptroller  states  that  weapon  system  programs  need  to 
maintain  a  “. .  .buying  only  the  cost-effective  parts  needed  to  accomplish  the  mission” 
approach  and  that  program  managers  need  to  continue  to  evaluate  cost  versus  value.48 
This  guidance  is  in  direct  conflict  with  what  the  Senate  Armed  Services  Committee  (SASC)
recommended  as  part  of  the  inquiry,  which  found  that  counterfeit  electronic  parts  pose
long-term  sustainment  problems,  which  is  a  major  driver  for  the  overall  cost  of  the  system.49

The  DOD  Comptroller  released  the  budget  request  for  the  AF  that  is  well  under 
the  required  amount  to  achieve  mission  strategy  in  FY2016.  The  2016  Department  of 
Defense  Budget  request  identifies  increased  spending  for  Science  and  Technology  of 
$12.3  billion,  and  $84.1  million  for  Defense  Acquisition  Workforce  Development  Fund 
(DAWDF).50  Sequestration  will  continue  to  challenge  the  acquisition  and  development  of 
superior  weapons  for  the  foreseeable  future.  These  fiscal  challenges  will  force  military
research  and  development  toward  a  less  desirable  weapon  technology  or  force  them  to
purchase  fewer  weapons  to  ensure  the  integrity  of  design  and  implementation  of  the 
weapon  program. 

The  GAO  report  identified  that  the  main  issue  in  developing  advanced
weaponry  is  the  forced  utilization  of  immature  technologies  in  advanced  weapon
systems.51  The  upfront  costs  of  products  acquired  through  authorized  sources  are 
typically  higher  than  those  electronic  components  marketed  on  the  open  economy.52 
These  practices  include  sole-sourcing,  outsourcing  and  global  sourcing  of  supply  chain 
vendors.  A  Rand  report  on  the  AF  identified  these  practices  as  being  effective  but  also 
recognized  that  having  fewer  supply  sources  creates  a  strategic  risk  because  the 
overreliance  on  a  sole  source  could  potentially  affect  the  overall  design  and  performance 
of  the  supply  chain  system.53 

The  U.S.  government  is  financially  unable  to  develop  and  manufacture  the 
technological  industrial  base  needed  to  sustain  research  and  development  of  weapons. 

Our  dependency  on  foreign  technology  manufacturing  creates  ample  opportunities  for 
intentional  compromise  of  ICT  components  while  they  are  being  created,  assembled,  and 
delivered  throughout  the  supply  chain.  Introducing  immature  technology  into  an 
advanced  technology  weapon  system  is  concerning  due  to  reliability  concerns  and 
sustainment  operations,  which  account  for  almost  two-thirds  of  the  overall  life  cycle  costs 
of  major  weapon  systems. 

Congressional  testimony  reported  that  the  theft  of  U.S.  Intellectual  Property 
Rights  (IPR)  by  Chinese  counterfeiters  is  creating  significant  national  security 
vulnerabilities  as  well  as  severely  impacting  our  economic  security.54  There  are  about
200,000  semiconductor  manufacturing  employees  in  America  and  counterfeiting
operations  put  these  jobs  at  risk  as  well  as  jeopardize  the  American  jobs  yet  to  be
created.55  The  Semiconductor  Industry  Association  (SIA)  estimates  that  global
counterfeiting  operations  cost  the  U.S.  manufacturers  about  $7.5  million  in  lost  revenue
and  subsequently  11,000  U.S.  jobs.  In  April  2012,  an  industry  market  research  firm  (IHS
iSuppli)  reported  that  the  five  most  prevalent  types  of  counterfeit  products  used  by 
commercial  and  military  industry  (transistors,  analog  integrated  circuit  (IC), 
microprocessor  IC,  memory  IC,  and  programmable  logic  IC)  represent  $169  billion  in 
potential  annual  risk  to  global  electronics  supply  chains.56 

The  estimated  annual  revenue  lost  due  to  ICT  counterfeiting  is  a  staggering  $100 
billion  each  year.57  Notably,  this  dollar  figure  only  accounts  for  the  losses  associated  with 
counterfeit  electronics  and  does  not  account  for  the  repair  or  maintenance  costs  required 
to  repair  defective-bogus  parts.58  For  example,  the  Armed  Services  Committee 
investigation  uncovered  that  the  Missile  Defense  Agency  (MDA)  computers  responsible 
for  Terminal  High  Altitude  Area  Defense  (THAAD)  missiles  contained  suspected 
counterfeit  memory  devices.59  This  cost  the  taxpayer  $2.7  million  to  fix  the  issue. 

Social  Impact  Analysis 

Semiconductors  have  had  a  tremendous  impact  on  our  society.  Mission  critical 
ICT  systems  rely  on  semiconductors  to  provide  the  “brains”  to  power  hardware
applications  that  are  found  in  healthcare,  supervisory  control  and  data  acquisition
(SCADA),  automotive  braking,  and  military  and  aerospace  systems.  Because  they  are
integrated  into  these  vital  ICT  electronic  systems,  counterfeit  semiconductors  create  a 
huge  risk  to  the  health,  safety  and  security  of  people  worldwide.  For  example,  a  broker
shipped  counterfeit  semiconductors  that  were  going  to  be  installed  in  radiation  detectors
used  by  first  responders  during  a  nuclear  accident.60 

The  majority  of  the  ICT  infrastructure  and  manufacturing  capabilities  are  largely 
owned  by  both  national  and  international  small  and  large  businesses.  To  adequately 
address  the  cyber  security  concerns  related  to  supply  chain  counterfeiting  and  theft  of 
intellectual  property,  a  domestic  and  international  partnership  is  needed.61  Equally 
important  is  developing  a  comprehensive  cyber  security  response  that  will  deter 
counterfeiting  operations  from  reaching  U.S.  supply  chains  and  ultimately  protect  the 
U.S.  citizens  and  military  from  the  national  security  threats  created  by  counterfeit  and 
substandard  products.62 

Cyber-attacks  against  the  U.S.  have  increased  in  sophistication  and  severity  due  to 
the  technological  interconnectedness  that  globalization  has  provided.  U.S.  Cyber 
Command  (CYBERCOM)  estimated  that  there  are  approximately  250,000  probes  or 
attacks  every  hour,  or  more  than  six  million  a  day  against  U.S.  government  networks.63
An  estimated  three  billion  people  use  the  Internet  daily  and  another  4.9  billion  devices
are  connected  to  the  Internet  -  a  phenomenon  known  as  the  Internet  of  Things
(IoT).64  It  is  estimated  that  by  2020  the  number  of  IoT  connections  will  be  in  excess
of  25  billion  devices.65

The  ICT  domain  is  a  critical  element  for  business  success  and  mission 
accomplishments.  It  provides  the  cutting  edge  technologies  that  ensure  the  U.S.  military 
sustains  advanced  weapons  superiority.  The  federal  acquisition  concern  is  the  continued 
reliance  on  foreign  technology  firms  to  support  our  procurement  and  development  of 
advanced  weaponry.  Adversaries  have  recognized  the  U.S.  military’s  constant  demands
for  advanced  technology  in  the  midst  of  narrowing  global  supply  sources.  This  supply
deficiency  provides  an  attack  vector  to  compromise  our  critical  systems  with  counterfeit 
products  or  substandard  semiconductors  and  microprocessors.  Other  than  malicious 
intent,  supply  chain  counterfeiting  is  operated  by  foreign  state  actors  who  are  trying  to 
degrade  the  technological  advances  of  the  US  defense  industrial  base.  The  Senate  Armed 
Service  Committee  found  China  as  the  dominant  source  country  for  counterfeit 
electronics  that  are  infiltrating  our  DOD  supply  systems.66 

To  try  and  improve  the  U.S.-China  relations  and  garner  international  support  to
end  the  prevalent  counterfeiting  industry  in  Mainland  China,  the  SASC  requested  the 
Chinese  Ambassador  approve  a  U.S.  envoy  to  survey  the  vast  counterfeiting  industry. 
Although  repeated  requests  were  made  to  the  Chinese  Ambassador  and  other  senior 
diplomats  in  Hong  Kong  and  Beijing,  the  committee’s  staff  was  denied  entry.  As  a  result 
of  the  Chinese  Government’s  reluctance  to  help  the  committee's  investigation,  Senator 
Carl  Levin  stated  the  U.S.  should  “....  treat  all  electronic  parts  from  China  as  suspect 
counterfeits.”67 

The  ICT  semiconductors  industry  spends  tens  of  billions  of  dollars  on  research,
engineering,  development  and  manufacturing  to  ensure  the  products  provided  operate
reliably.68  Counterfeiters  utilize  poor  manufacturing  techniques  to  copy  stolen  IP
products,  resulting  in  damage  to  the  original  component  manufacturer’s  reputation.  More
importantly,  just  one  counterfeit  semiconductor  has  the  capability  to  make  an  entire
critical  system  fail  and  cause  catastrophic  damage  or  even  death.

Technological  Analysis 

The  unclassified  U.S.-China  Commission  describes  China’s  capabilities  to
conduct  advanced  cyber  warfare  and  computer  network  exploitations  (CNE)  through
malicious  cyber  operations  that  are  often  undetected  by  their  targets.69  Historically  the 
defenses  of  cyberspace  networks  utilized  a  reactionary  intrusion  detection  approach  to 
prevent  ICT  attacks,  such  as  malicious  software  propagation  and  network  intrusions. 
Using  industry  best  practices  for  cyberspace  security,  cyber  security  analysts  (white  hat 
hackers,  red  teams)  are  proactively  scanning  physical  and  logical  enterprise  entry/exit 
points  to  identify  any  security  vulnerabilities  within  the  AF  networks.  Understanding  that 
targeted  CNE  operations  are  successful,  cyber  security  personnel  are  able  to  conduct 
proactive  scanning  operations  to  identify  potentially  harmful  malicious  code  within  the 
AF  networks. 

The  complexity  and  anonymity  of  the  internet  provide  adversaries  with  a  safe 
haven  to  conduct  pervasive  cyber-attacks  aimed  at  industrial  espionage.  Similarities 
between  exploitation  tools  and  tactics  among  nation  state  attackers  are  making  it  harder 
to attribute cyber intrusions.70 The increase in non-attribution could be related to the
widespread availability and use of open source malicious software, network exploitation tools,
and commercial anonymity services. The decrease in reported incidents may also be due
to the intelligence community’s concern with attribution being overshadowed by the
private sector’s desire to prevent certain types of cybercrime.

The  process  to  engineer  a  trusted  electronics  component  requires  a  significant 
investment  in  time  and  money  to  protect  the  product  from  compromise  and  ensure  the 
overall  integrity  of  the  weapon  system.  The  Air  Force  Research  Laboratory  (AFRL) 
requires  that  hardware  and  software-intensive  systems  demonstrate  an  appropriate  level 
of maturity before they can be introduced into a weapons program.71 As a result of
AFRL’s long development stages, DOD contractors are more likely to use commercial
technology supply chains to fill the void of mature DOD technologies, thereby increasing
the chances of receiving counterfeit electronics.

The fidelity and integrity of sophisticated technology rely upon a trusted DOD
procurement process. However, due to globalization and the demand for mature
technologies,  the  federal  supply  chains  capable  of  providing  sophisticated  and  trusted 
technologies  are  narrowing.  As  a  result,  U.S.  defense  contractors  who  are  unable  to 
afford  the  mature  technology  components  manufactured  within  the  U.S.  may 
unknowingly  purchase  substandard  materials  and  parts  from  third  party  suppliers  or 
foreign  competitors  to  avoid  costly  contract  overruns.  This  federal  contracting  approach 
increases  the  chances  of  counterfeit  or  substandard  technology  entering  the  AF  supply 
chain. 

Military  Analysis 

The  national  security  concerns  regarding  counterfeit  electronics  installed  in 
advanced  weapon  platforms  are  well  documented  by  numerous  Congressional  Committee 
Investigations,  Scientific  Communities,  and  independent  researchers.  Counterfeit 
electronics  have  been  found  installed  in  C-130J,  C-17,  C-27J,  P-8A  Poseidon,  AH-64 
military  aircraft,  as  well  as  the  computers  that  control  the  Terminal  High  Altitude  Area 
Defense  (THAAD)  missile.  Subsequent  to  these  findings,  industry  best  practices  were 
compiled  and  instituted  by  the  United  States  Federal  Supply  Chain  system  to  reduce  the 
security  risks.  Within  the  ICT  community,  the  current  supply  chain  risk  management 
framework,  developed  and  instituted  by  the  National  Institute  of  Standards  and 
Technology (NIST), uses a reactionary approach to reducing counterfeit electronics. As
new counterfeiting techniques are discovered, the Federal Acquisition Regulation (FAR)
System creates defensive security controls to identify and respond. There is an immediate
concern for military leaders and weapon system managers to increase awareness of
this threat to ensure adequate security is in place.

Nation  States:  Sources  of  Counterfeits 

The  Office  of  the  National  Counterintelligence  Executive  (ONCIX)  states, 
“Chinese  actors  are  the  world’s  most  active  and  persistent  perpetrators  of  economic 
espionage.”72 China was the number one source of counterfeit products seized on the
U.S. border in 2014.73,74 It is estimated that 20 percent of consumer products in the
Chinese market are suspected as counterfeit. The complexity and diversity of the federal
ICT  supply  chain  provides  significant  opportunities  for  the  insertion  of  counterfeits, 
unauthorized  production,  tampering,  theft,  and  insertion  of  malicious  software  and 
hardware.75  There  is  also  the  threat  of  trade  secret  thefts,  which  can  occur  when 
employees  leave  the  company  with  portable  storage  devices  containing  proprietary 
information,  cyber  intrusions,  and  failed  joint  ventures.76 

Senator Carl Levin, Chairman, Committee on Armed Services, testified that the
investigation into the DOD supply chain revealed that the defense contractors and
ICT brokers interviewed all pointed toward China, specifically the city of Shenzhen in
Guangdong Province, as the primary source of counterfeit electronic parts.77 In March
2015, the United States Trade Representative (USTR) created a “Notorious Markets
List” detailing the worst markets that sell counterfeit goods. The report noted that China
remains one of the primary distribution channels for pirated and counterfeit goods in
much of the world.78 This report also provides the U.S. and foreign governments with a
prioritized list of IPR enforcement areas around the world.

Pursuant to Section 182 of the Trade Act of 1974, as amended by the
Omnibus Trade and Competitiveness Act of 1988 and the Uruguay Round Agreements
Act (19 U.S.C. § 2242), the Special 301 Report is conducted annually to review the status
of IPR protection and enforcement in the U.S. and around the world.79
The  purpose  of  the  report  is  to  encourage  and  sustain  adequate  and  effective  IPR 
enforcement  worldwide  and  captures  a  range  of  concerns  including:  (a)  deterioration  in 
IPR  protection;  (b)  inadequate  trade  secret  protection  in  China,  India  and  elsewhere;  (c) 
online  copyright  piracy  in  countries  such  as  Brazil,  China,  India,  and  Russia.80 

Counterfeit  Parts  Interdiction  Efforts 

President  Obama  announced  the  creation  of  the  Interagency  Trade  Enforcement 
Center  (ITEC)  during  his  2012  State  of  the  Union  address.81  The  purpose  of  the  ITEC  is 
to  provide  a  whole-of-government  approach  to  protecting  and  enforcing  American  trade 
rights  around  the  world.  A  primary  concern  with  current  anti-counterfeiting  efforts  is  the 
dynamic  nature  of  counterfeiting  techniques.  As  anti-counterfeiting  tools  are  developed, 
the  counterfeit  supplier  has  already  changed  its  attack  vector  to  circumvent  mitigating 
operations.82 Counterfeiting and piracy trends listed in the 2015 Special 301 Report
identify that preventive measures are often thwarted because counterfeiters are using
legitimate mail, international couriers, and postal services to deliver counterfeit and
substandard goods.83 Effective border control and enforcement at the borders will help
prevent the exportation and flow of counterfeit products from the country of origin.84

DOD electronic suppliers suggest that if the electronic component passes the
contractor implementation test, then the part should be considered new and not suspected
of being counterfeit. However, the original manufacturer and DOD leaders argue that this is not the
case and electronic suppliers should be held liable for any maintenance or
replacements.85 An identified problem is that waste electronic parts discarded for
recycling are being repackaged and sold as new products. Counterfeit parts can also be
parts that have been used, discarded and repackaged as a new electronic product.

In  Fiscal  Year  2014,  U.S.  Customs  Border  Patrol  and  the  General  Administration 
of  China  Customs  (GACC)  conducted  joint  IPR  enforcement  operations  to  interdict 
shipments  of  consumer  electronics.  Although  the  Chinese  government  is  ramping  up 
efforts  to  curtail  Mainland  counterfeiting  operations,  it  is  estimated  that  almost  63  percent 
of  the  IPR  infringing  products  were  seized  at  U.S.  ports  in  Fiscal  Year  2014;  25  percent 
transshipped  from  Hong  Kong.86 

Open source U.S. intelligence reports state that the Main Intelligence Directorate of the
General Staff of the Armed Forces of the Russian Federation (GRU) is conducting a
range of activities to “...collect economic information and technology from U.S.
targets.”87 The majority of Russian intelligence counterfeiting efforts include, but are not
limited to, online piracy and trademark counterfeiting. The Special 301 Report
investigations  revealed  that  Chinese-origin  electronic  counterfeit  products  are  shipped 
unrestricted  from  the  Kazakhstan-China  border  and  through  Kyrgyzstan,  into  Russia.88 

Predictive  Analytics  and  Computational  Criminology 

“We must avoid our historical pattern of drawing down too fast and getting too small,
especially since our record of predicting the future has not been very good. As we make
difficult resource decisions, we must be thoughtful in understanding the risk we incur to
our nation’s future security” General Raymond Odierno89

The  ability  to  predict  future  attacks  and  outcomes  provides  a  significant  strategic 
operational advantage for military leaders and planners. Effectively, this approach is
already in use by law enforcement and cyber security analysts who utilize predictive
analytics to compute the possibility of certain types of crime and cyber-attacks. Using
intelligence information and crime statistics from known or past events, criminologists
and security analysts are able to predict future attacks and proactively establish a
formidable targeted counter defense.

Organizations  that  have  already  implemented  statistical  defense  based  systems 
understand  that  this  defense  approach  is  not  immediate  and  requires  a  significant  amount 
of  resources  to  compile  the  variables  and  empirical  data  needed  to  develop  a  functional 
predictive  analytics  model.90  By  using  predictive  analytics,  organizations  are  capable  of 
identifying  internal  and  external  threats  by  creating  independent  risk  calculations  and 
detecting  deviations  from  the  norm.91 

The  AF  Office  of  Scientific  Research  (OSR)  is  currently  researching  the 
discovery of mathematical laws that leverage reliable and robust algorithms and
human-machine decision making to develop accurate real-time projections of the dynamic battle
space.92  For  example,  the  Computational  Cognition  and  Machine  Intelligence  area  is 
focused  on  developing  innovative  research  using  high-order  cognitive  processes  that  will 
help  increase  human  performance  during  complex  decision  making. 

RECOMMENDATIONS 

Recommendation 1: The Cost of Doing Business

The current DOD anti-counterfeiting approach is described and documented in
DODI 4140.67, DOD Counterfeit Prevention Policy, and NIST 800-161, Supply Chain
Risk Management Practices for Federal Information Systems and Organizations;
both risk management frameworks suggest a reactionary approach to responding to
electronic counterfeiting incidents. The ICT SCRM provides guidance on how the federal
government should implement SCRM at all levels. ICT SCRM includes all activities
related to the weapon system development lifecycle, such as research and development, and
disposal and retirement of ICT equipment (software and hardware).

The ICT SCRM framework builds on the four pillars of cyber security: security,
integrity, resilience, and quality, which are the fundamental attributes that must be
present to effectively manage supply chain security. The security supply chain
encompasses the security triad (confidentiality, integrity, and availability (CIA)).
Integrity protects information, systems and services from unauthorized modifications and
ensures that supply chain products are genuine and will perform according to documented
manufacturer specifications. Resilience ensures that ICT supply chain products will
remain available during stress or failure. Quality helps reduce the vulnerabilities that may
lead to system or component failure and provide exploitation capabilities.

Understandably  there  will  be  costs  associated  with  federal  risk  mitigation 
techniques  but  the  concern  is  that  the  risk  is  being  offset  to  the  men  and  women  in 
uniform  in  addition  to  jeopardizing  our  national  security.  The  implementation  of  the 
NIST  800-161  ICT  SCRM  framework  involves  increased  cost  due  to  required  changes  in 
manufacturer  product  development  and  oversight.  Regrettably,  the  guidance  provided  by 
the  NIST  800-161  framework  does  little  to  enforce  the  best  practices.  Similarly,  DOD 
4140.67  guidelines  only  instruct  supply  chain  acquirers  on  how  to  reduce  supply  chain 
counterfeiting but fail to actually enforce compliance. For example, NIST 800-161
states, “Acquirers should evaluate and weigh the costs of adding ICT SCRM
requirements into agreements against the risks to organizations of not adding ICT SCRM
requirements.”93 This guidance is counterintuitive to Public Law 112-81, National
Defense Authorization Act for Fiscal Year 2012, which requires that DOD contractors at all
tiers be responsible for “...detecting and avoiding the use or inclusion of counterfeit
electronic parts” and “...the cost of rework or corrective action required to remedy the
use or inclusion of such parts are not allowable costs under Department contracts.”94
Therefore,  the  cost  of  ICT  integrity  and  authenticity  should  already  be  expected  and  DOD 
contractors  have  a  duty  to  conduct  anti-counterfeiting  due  diligence. 

Finally,  the  DOD  weapon  system  program  managers  (military,  government  or 
civilian)  need  to  be  held  responsible  for  ensuring  the  integrity  of  their  weapons  systems 
platform.  The  current  DOD  guidance  presented  in  this  research  does  little  to  provide 
instructions  on  who  and  what  should  enforce  the  anti-counterfeiting  efforts  within  the  Air 
Force. As the research has discovered, the answers to these questions are buried in pages
upon  pages  of  government  testimony,  Federal  Acquisition  Regulations,  DOD  research 
and  directives,  all  of  which  refer  to  one  another  without  clearly  delineating  the 
responsible  entity. 

Recommendation 2: Reclassify Counterfeit ICTs as a Cyber Intrusion

The  deliberate  misrepresentation  or  modification  of  any  ICT  electronic 
component  by  a  known  adversarial  nation  state  needs  to  be  reclassified  as  a  cyber-attack 
and not only as an economic crime. Nation states are knowingly developing counterfeit
and substandard electrical components that are directly targeting our national defense
industrial  base.  The  global  supply  chain  threat  has  emerged  into  an  intricate  criminal 
cyber  ecosystem  that  has  developed  into  a  multibillion-dollar  business  complete  with  a 
management structure, quality control and global customer base.

One of the biggest ICT security concerns affecting the Federal Government is
described as the insider threat. A 2014 industry survey of 200 ICT security decision
makers working within the Federal Government was conducted to research insider and
external ICT security threats. The organizations represented were federal, civilian or
independent government agency (54%), DOD or military service (39%), federal judicial
branch (3%), intelligence agency (3%) and federal legislature (2%) (Appendix A). The
survey results concluded that the largest source of cyber security risks at federal agencies
is insider threats (53%), followed by hacking (46%), foreign governments (38%),
hacktivists (30%), malicious insiders (23%) and terrorists (18%) (Appendix B).

The  insider  threat  is  typically  characterized  as  an  employee  who  has  authenticated 
to  the  internal  enterprise  network  and  purposively  conducts  malicious  activities  to 
disrupt,  deny  or  steal  information  systems.  However,  the  researcher  is  presenting  the 
insider  threat  as  an  appliance  or  electrical  component  that  infiltrates  a  weapon  platform 
through the Federal Supply system.95 For example, China’s intelligence agencies
recognize that the USAF is still maintaining mission critical legacy aircraft; they
understand the budgetary constraints imposed by sequestration; they know legacy
replacement parts for these aircraft are difficult to find;96 and they understand the economic
theory associated with supply and demand costs. Leveraging the information from these factors,
China now has a predefined attack vector. Using social engineering and advanced
counterfeiting techniques, China is able to break into a weapon system and deliver
targeted malware or a substandard electrical component. The discovery of this intrusion
is very difficult using the current ICT SCRM framework because the electronic
component appears and functions as an OEM product until system failure. The insider
ICT threat is a vetted electrical component within a trusted environment that
surreptitiously lies dormant in a vulnerable weapon system.

An investigation by the U.S. House of Representatives into the U.S. national
security issues posed by Chinese telecommunications companies Huawei and ZTE describes the
groundwork for an advanced persistent threat.97 The investigation revealed that sensitive
U.S.  government  systems  should  not  use  ICT  components  from  these  companies  due  to 
counterintelligence  and  cyber  espionage  concerns.98 

Using  counterfeit  NNSS  ICT  equipment  purchased  from  China  is  a  significant 
vulnerability  for  U.S.  national  security.  The  concern  arises  from  counterfeit  ICT  routers 
or  switches  purchased  from  China  that  are  plagued  with  security  holes  and  backdoors 
enabling  them  for  surveillance.99  Acting  as  an  insider  threat,  the  compromised  ICT 
appliance  hardware  creates  a  significant  advanced  persistent  threat. 

Recommendation  3:  Senior  Leadership  Support 

Cyber  security  awareness  issues  that  resonate  with  senior  military  and  DOD 
leaders typically involve discussions around supervisory control and data acquisition
(SCADA) threats, malware, theft of intellectual data and cyber intrusions. Cyber security
concerns related to counterfeit electronics are not considered high priority and are often
left out of leadership’s top security issues. Navy Adm. Michael S. Rogers, the Commander
for  the  United  States  Cyber  Command  (CYBERCOM),  provided  an  executive  overview 
on  the  main  cyber  threats  facing  the  U.S.  Although  he  described  the  above-mentioned 
cyber  threats,  Adm.  Rogers  did  not  identify  any  cyber  security  concerns  related  to 
counterfeit  electronics  found  in  advanced  weapon  systems. 

To mitigate the high-risk level associated with counterfeit electronics, leaders
need to understand the threat capability. Additionally, the anti-counterfeiting budget
needs to recognize this persistent threat by providing adequate funding for the research
and development of new and innovative ways to identify and discern substandard
electrical components.

Recommendation  4:  Proactive  Network  Defense:  Preventing  ICT  Counterfeiting 

The ability to develop techniques that provide security managers with actionable
intelligence to predict human behavior has gained considerable interest. Predictive
analytics uses empirical data (public or private) to try to determine future cyber-crime
actions. Law enforcement officials are currently using predictive analytics to identify
future  criminal  activities  based  on  social  media  activity. 

Criminal  justice  researchers  have  leveraged  the  emerging  field  of  computational 
criminology,  which  combines  the  advances  in  computer  technology  and  crime  statistics, 
to  help  predict  future  crime  in  geographical  areas.  This  same  approach  can  be  used  to 
develop  innovative  methodologies  to  understand  the  AF  counterfeiting  cyber-crime 
phenomena  and  aid  in  the  geographical  targeting  of  anti-counterfeiting  efforts.  The 
capability  to  simulate  the  probability  of  counterfeiting  techniques  and  patterns  highlights 
the benefits of the computational criminology field. By studying the conditions that
influence  counterfeiting  activities,  such  as  electronic  E-waste,  anti-counterfeiting  efforts 
can  target  specific  electronic  components  and  simulate  potential  supply  chain  security 
risks. 

By applying predictive analytics and computational criminology to the AF supply
chain counterfeiting problem, researchers can model an adversary’s behavior by studying
temporal events and using these incidents to identify certain indicators or tradecraft to
simulate areas of interest and propose anti-counterfeiting strategies. For example, let’s
assume the triggering event is the sale of 300,000 semiconductor components
(E-waste) to China. Using predictability assessments and computational
criminology simulations on the known purchaser, we can identify past criminal behavior
that can be studied to ascertain the counterfeit attack strategy; the adaptive behavior of
the counterfeiter to previous anti-counterfeiting enforcement strategies; and also
understand the current criminal counterfeiting patterns used in that geographical region.

CONCLUSION 

The  information  presented  throughout  this  research  highlights  the  significance  of 
electronic counterfeiting security risks; the historical implications of poor
anti-counterfeiting strategies; and the lack of overall counterfeiting cyber security awareness.
The risk of counterfeit electronics existing in AF weapons systems is a significant
security concern for military leaders and more importantly our Airmen who we call on
to  achieve  political  and  strategic  objectives  around  the  globe. 

The AF supply chain risk management approach is a policy-driven methodology
for conducting risk management and identifying associated mitigation costs. Military
budget sequestration has had a significant impact on weapon system platforms, and
the risk versus cost trade-off occurs more often. However, the cost of not funding
appropriate  risk  mitigation  strategies  implies  we  are  accepting  the  risk  and  transferring 
the  possibility  of  weapon  system  failure  to  our  Airmen.  This  is  an  irresponsible  approach 
towards  managing  men  and  women  in  uniform  as  well  as  the  development  of  advanced 
weapon  platforms.  We  owe  this  cost  burden  to  our  Airmen  and  AF  leaders  must  ensure 
adequate funding is provided to guarantee anti-counterfeiting techniques are factored into
all AF weapon system development and maintenance (to include replacement parts). This
cyber security threat will require additional appropriation funding in the future to
adequately support the development of sophisticated anti-counterfeiting strategies;
targeted intelligence operations; and ensuring contractors are conducting due diligence in
preventing counterfeit electronic products from entering the federal supply chains.

The  military  systems  ensure  our  national  security  and  protect  the  military  men  and 
women  in  uniform  who  are  dependent  on  the  performance  and  reliability  of  incredibly 
sophisticated  technology  components.  Fighter  pilots  and  Special  Forces  conducting 
coordinated operations rely on night vision systems, air-to-ground radios and
laser-guided bombs, all of which are enabled by semiconductors and microprocessors that are
incredibly small. Military men and women rely on the performance and dependability of
highly sophisticated technology to preserve a technological advantage on the battlefield
against our adversaries.100 Consequently, the failure of any electrical component or
semiconductors can leave a soldier, Airman, sailor, or Marine vulnerable to defeat.101

APPENDIX A

Demographics on Federal Cyber Security Survey

[Figure: SolarWinds survey slide, “Respondent Classifications: Organizations Represented” (N=200). Survey questions: “Which of the following best describes your current employer?” and “What agency do you work for?” If a respondent did not work for any of the specific organization types noted below, the survey was terminated.]

Organizations Represented: Federal, Civilian or Independent Government Agency; Department of Defense or Military Service; Federal Judicial Branch; Intelligence Agency; Federal Legislature.

Sample Organizations Represented (in alphabetical order): Air Force; Army; Department of Agriculture (USDA); Department of Commerce (DOC); Department of Defense (DOD); Department of Energy (DOE); Department of Health and Human Services (HHS); Department of Homeland Security (DHS); Department of Labor (DOL); Department of Justice (DOJ); Department of State (DOS); Department of the Interior (DOI); Department of Transportation (DOT); Department of Treasury (TREAS); Department of Veteran Affairs (VA); Environmental Protection Agency (EPA); Judicial/Courts; Marine Corps; National Aeronautics and Space Administration (NASA); Navy; Social Security Administration (SSA); US Postal Service (USPS).

APPENDIX B

Survey results identifying cyber threat sources.

[Figure: SolarWinds survey slide, “IT Security Obstacles, Threats and Breaches: Sources of Security Threats” (N=200; multiple responses allowed). Survey question: “What are the greatest sources of IT security threats to your agency? (select all that apply)”. The slide marks statistically significant differences.]

Slide note: Careless/untrained insiders are noted as the largest source of security threat at federal agencies. This has increased from 42% in the SolarWinds CyberSecurity Survey conducted in Q1 2014.

Response categories: Careless/untrained insiders; General hacking community; Foreign governments; Hacktivists; Malicious insiders; Terrorists; For-profit crime; Industrial spies; Other; Unsure if these threats plague my agency; None of the above plague my agency.